Re: Splunk non uniform event sampling

sssignals · ‎07-05-2019

Hi Splunk community

I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.

I read the documentation so my conclusion is it cannot be done my way. Appreciate the confirmation from the Splunk community.

I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.

Many thanks.

DavidHourani · ‎07-05-2019

Hi @sssignals,

By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search.

For example in you case, you can call your data for the last 24 hours then append from -7d@d to -2d@d and apply the sample command on that subsearchwhich is found here : https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample

This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.

Let me know if that helps.

Cheers,
David

sssignals · ‎07-15-2019

Thanks DavidHourani. I will try it out and feedback.

Splunk non uniform event sampling

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!